Synthesis: March 30, 2026
Twelve projects ran today. That’s every active codebase in the fleet. A few shipped features. Most shipped something harder to see and more valuable: the boring work of making systems honest about their own state. Scout runs, dead code removal, error boundaries, input validation, security hardening. The kind of day where nothing flashy happened and everything got better.
Here’s what actually mattered.
Authexis
The flagship had a production stability day. Thirteen issues closed, all queues emptied. The headline was a Sentry cleanup — rate limiting errors (985 events worth), a handler crash on string payloads, a sync chat() call bypassing the Claude semaphore, a missing GITHUB_TOKEN on Railway. Each one was a small fire. Together they were noise drowning out real signals. All resolved now.
The Sleekplan integration replaced Featurebase for the feedback widget and got wired into the changelog generator, so release notes now push to Sleekplan automatically. Two dead service modules were removed — inputs_audit.py (223 lines) and inputs_enrich.py (284 lines), vestigial from an earlier pipeline design that nobody remembered existed until grep confirmed nobody was calling them.
v1.5 milestone: 49/50 closed. One issue left.
Diktura
Came back from a 66-day gap. The project migrated stacks while nobody was looking — Rails to Next.js 16 + Supabase + Python engine — and today was about making that new stack actually deploy. Railway was crashing because get_settings() ran at import time before env vars were available. Vercel was failing on TypeScript implicit-any and a missing node_modules in the web/ workspace. Auth guard added to the (app) layout, dead admin client helper removed, .scout.yml created, 7 new issues filed from the first scout scan.
The project is early-stage but the bones are right. Railway isn’t linked yet and DNS isn’t configured — can’t go live until both are resolved.
Dinly
A hardening marathon. Fourteen issues closed across three themes: error boundaries (28 boundaries + 5 not-found pages covering every route segment), TypeScript test fixes (21 errors across 11 files from Vitest 4.x’s changed Mock typing), and input validation (server-side validation on family member CRUD and the household setup action — the latter being critical since it uses the admin client that bypasses RLS).
All milestones complete (Phase 1-4, March 2026). Two issues remain ready-for-dev: dependency updates and admin loading states. 327 tests passing, zero TypeScript errors, zero npm audit vulnerabilities. This codebase is clean.
Eclectis
Quiet day. Nine-dimension scout scan found nothing actionable — the March launch sprint left the codebase in solid shape. Sentry was clean (one browser-extension noise issue, zero real errors in 7 days). One new user-filed issue (#644, bulk operations on search terms) was left for human triage since it needs product direction.
The only thing worth noting: pydantic-core can’t be upgraded independently of pydantic due to pin conflicts. Not a problem today, will be eventually.
Forgeworld
Test coverage hit baseline — 65 tests across 10 files covering auth helpers, API routes, server actions, and form components. A scout run found that security headers only applied to authenticated routes (proxy matcher too narrow), the (app) route group lacked an error boundary, and the validate page had no loading skeleton. Two of three were fixed immediately (#84, #85). The security header scope (#82) is the most impactful carry-over — public pages currently have no X-Frame-Options or X-Content-Type-Options.
Also flagged: the proxy matcher excludes /login and /signup from Supabase session refresh, meaning stale cookies for users who visit login while already authenticated (#86).
Phantasmagoria
Full diagnostic day. Seven parallel scout agents scanned every dimension and surfaced 30+ findings. The headline: resource_gain_scaled — the new default effect type per the March 28 decision — is completely invisible to all three validation layers. The most commonly generated effect type has zero validation. Filed as #261.
One concrete fix shipped: sys.exit(1) in phmg/config.py replaced with a proper ConfigError exception class, making errors catchable by callers. 451 tests pass. Five issues filed from scout findings. The test-coverage picture is concerning — the 451-test count looks healthy, but coverage is concentrated in renderer/validator layers while the generation pipeline (stage2_runner.py, renderability_contract.py, followup_generator.py) is entirely untested.
Polymathic-h
The blog became a multi-author platform. Author metadata in hugo.toml, byline rendering on single posts and list teasers, per-post attribution in RSS (dc:creator), podcast feed (itunes:author), JSON-LD, and social meta tags. Posts without an author field default to Paul.
Three posts published today — two as “Skopos” (the original companion name) and one as “Charlie” (the renamed companion). The Skopos-to-Charlie rename is partially complete: freetime.md updated, but hugo.toml authors map and the /skopos/ about page still need migrating. Newsletter #17 sends tomorrow at 11am ET.
Scholexis
Security and hardening session. Next.js upgraded from 16.1.6 to 16.2.1 (five CSRF/security advisories resolved). npm audit fix cleaned transitive dependency vulnerabilities — from 9 vulnerabilities (3 high) down to 4 moderate dev-only issues locked inside drizzle-kit’s esbuild dependency. The energy widget’s quick check-in was the last form in the app that silently swallowed errors — now uses toast.error() like everything else. Deep scout confirmed the codebase is in solid shape: every server action uses requireAuth() + Zod, every client form has proper error handling, every list page has empty states, every route has loading.tsx.
Next.js port: 109/113 closed. Four remaining.
Skillexis
Broke a five-day idle stretch. Two scout sessions filed 10 new issues. Four shipped: workspace_id security filter on score-response (#213), npm audit + Next.js 16.2.1 upgrade (#211), middleware.ts → proxy.ts rename (#209), dead code removal (#201).
The Supabase project is unreachable — DNS doesn’t resolve, likely paused to save costs. This blocks all DB-dependent development including the already-coded #172 (lesson context for simulation practice). Workspace scoping is a systemic security gap tracked across 5 open issues, with writeCommand client-side trust (#215) being the most concerning.
Synaxis-h
Maintenance session. Caught up with remote (several commits behind from March 23-25), ran two scout passes. The methodology diagnostic page got a CTA section. .scout.yml committed. Eleven scout passes total, 65 issues lifetime (all closed except 3 awaiting human clarification on analytics strategy, apple-touch-icon, and case studies). The codebase is comprehensively clean from an infrastructure perspective — all remaining work is business-driven.
Textorium
Code health day. The highest-impact fix: git add . in GitService was silently staging all files including .env and build artifacts. Switched to git add -u — a genuine security fix. Three other fixes: waitUntilExit() blocking the cooperative thread pool (replaced with async terminationHandler), HTMLToMarkdown recompiling regex on every invocation (now cached as static properties), and 165 lines of dead view code removed (DatabaseRowView, DatabaseCellView, FlowLayout from an abandoned card-based layout). v1.0.5: 16/16 closed.
Textorium-tui
A data-safety sprint. Five issues closed, all tracing back to PRODUCT.md principle #4: “Safe by default. Never destroy data.”
The headliner: save_post now does atomic writes (temp file → fsync → POSIX rename) so a crash mid-write can’t corrupt a user’s markdown file. Content dirty tracking was broken — smart quotes modified post.content but dirty detection only checked frontmatter, so content-only changes weren’t saved by Ctrl+S. Fixed with original_content tracking. Single-post editor reload replaced the full scan_posts that was silently discarding unsaved edits on other posts. Flaky CLI tests from unsafe { std::env::set_var("HOME") } (undefined behavior in Rust 1.78+ with parallel tests) fixed with config injection — went from 3-5 random failures per run to 62/62 passing consistently.
Cross-cutting themes
The great hardening. Nine of twelve projects ran scout scans today. The pattern is unmistakable: the fleet is shifting from feature development to production readiness. Error boundaries, input validation, security headers, dead code removal, dependency upgrades. This isn’t glamorous work. It’s the work that determines whether the software survives contact with real users.
Next.js 16.2.1 swept the fleet. Scholexis, skillexis, dinly, and diktura all upgraded today, resolving five CSRF/security advisories. The middleware.ts → proxy.ts rename is propagating. Forgeworld and authexis are next.
Workspace and auth scoping. Multiple projects discovered that security filters were incomplete — skillexis has a systemic workspace_id gap across 5 issues, dinly added RLS-bypassing admin client validation, diktura added auth guards that were previously missing. The scout is finding these because the scanning dimensions now explicitly include security scoping.
Test coverage is the universal gap. Phantasmagoria’s generation pipeline is untested. Scholexis has zero server action tests. Authexis has 14 untested engine handlers. Diktura has zero tests in the entire new stack. The tests that exist are good — the problem is where they don’t exist yet.
Dead code removal continues. Authexis cut 507 lines of dead service modules. Textorium removed 165 lines of abandoned view code. Skillexis removed unused actions and utilities. Phantasmagoria identified an entire orphaned validation file. The fleet is getting leaner.
Carry-over
- Authexis v1.5: 1 issue from the finish line (49/50 closed)
- Polymathic-h Skopos→Charlie rename:
hugo.toml,/skopos/page, existing post frontmatter need updating - Skillexis Supabase: Project unreachable, blocking all DB-dependent work including the already-coded #172
- Phantasmagoria resource_gain_scaled: Default effect type has zero validation across all three layers (#261)
- Phantasmagoria Stage 3/4 split: Carrying over from March 29
- Diktura deployment: Railway not linked, DNS not configured — can’t go live
- Forgeworld security headers: Public pages have no X-Frame-Options or X-Content-Type-Options (#82)
- Newsletter #17: Sends tomorrow March 31 at 11am ET
Risks
| Risk | Projects | Impact |
|---|---|---|
| Skillexis Supabase unreachable | skillexis | Blocks all DB-dependent development, including completed feature branch |
| Generation pipeline untested | phantasmagoria | Core pipeline has zero test coverage — bugs ship silently |
| resource_gain_scaled validation hole | phantasmagoria | Most common effect type bypasses all validation |
| No tests in new stack | diktura | Every change verified by build + curl only |
| 14 untested engine handlers | authexis | Standing risk, unchanged from yesterday |
| Python 3.9 EOL | phantasmagoria | No security patches since October 2025 |
By the numbers
| Project | Issues closed | Issues filed | PRs merged | Milestone status |
|---|---|---|---|---|
| authexis | 13 | 0 | — | v1.5: 49/50 |
| diktura | 4 | 7 | — | — |
| dinly | 14 | 4 | — | Phase 1-4: complete |
| eclectis | 2 | 1 | — | — |
| forgeworld | 3 | 5 | — | — |
| phantasmagoria | 1 | 5 | — | — |
| polymathic-h | 0 | 0 | 4 | April 2026: 3/3 |
| scholexis | 2 | 0 | — | Next.js port: 109/113 |
| skillexis | 4 | 10 | — | Sim practice: 3/4 |
| synaxis-h | 3 | 0 | — | — |
| textorium | 5 | 0 | — | v1.0.5: 16/16 |
| textorium-tui | 5 | 2 | — | v1.0.3: 1/2 |
| Total | 56 | 34 | 4 |
Why customer tools are organized wrong
This article reveals a fundamental flaw in how customer support tools are designed—organizing by interaction type instead of by customer—and explains why this fragmentation wastes time and obscures the full picture you need to help users effectively.
Infrastructure shapes thought
The tools you build determine what kinds of thinking become possible. On infrastructure, friction, and building deliberately for thought rather than just throughput.
Server-side dashboard architecture: Why moving data fetching off the browser changes everything
How choosing server-side rendering solved security, CORS, and credential management problems I didn't know I had.
The work of being available now
A book on AI, judgment, and staying human at work.
The practice of work in progress
Practical essays on how work actually gets done.
Your design philosophy is already written
Builders who work across multiple projects leave fingerprints everywhere. The same mind solves the same problem differently in every domain — and usually doesn't notice. You need someone to read it back to you.
The day nothing satisfying happened
The most productive day in an organization's life usually looks like nothing happened. No launches, no features, no announcements. Just people quietly making the existing work more honest.
Your AI agent is probably not an agent
The word 'agent' has become meaningless. Everyone from chatbot vendors to autonomous system builders uses it. We've been here before — with self-driving cars — and it didn't end well.